Introduction
Automatic SCEP enrollment is a feature that lets a network administrator provision Client Authentication certificates to users with minimal administrative assistance. Planned and deployed correctly, this results in fewer calls to the help desk.
This document is based on the configuration example http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml
Requirements
ASA Code
Release Notes
http://www.cisco.com/en/US/products/ps8411/prod_release_notes_list.html
Licensing
Suggested reading http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html
Release Notes http://www.cisco.com/en/US/products/ps8411/prod_release_notes_list.html
Configuration basics
If you have followed the Configuration Example http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml to the letter, you will not face any problem with the 2.5/2.4, iPhone/iPad or Android clients.
AnyConnect 3.0
The 3.0 client behaves differently for SCEP enrollment, and configuration changes are required on the ASA to complete this task. The configuration for previous-generation clients is incompatible with 3.0 (although the two configurations can coexist), and the configuration for 3.0 will not work for 2.x clients.
The profile requirement is the same, with one exception: <CAURL PromptForChallengePW="true"> (the password challenge must be set to true) is a mandatory field. Without it you will not get an "Enroll" button, and the client will not try to fetch the certificate from the CA server.
In the tunnel-group you must have the 'scep-enrollment enable' command.
In the group-policy you must have the 'scep-forwarding-url <url>' command. The URL in this command must be the same as the <CAURL> in the profile.
The authentication method must be BOTH certificate and AAA.
AnyConnect 3.0 does not rely on the 'ssl certificate-authentication <interface> <port>' command failing the client authentication; instead, it uses the authentication method to kick-start the SCEP enrollment.
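Because the profile and the ASA configuration have to agree on several points (the CAURL flag, the forwarding URL, the tunnel-group commands and the authentication method), a small consistency check catches the usual misconfigurations before users report a missing "Enroll" button. The following script is an added example and not Cisco's code or part of the original document. The profile fragment and ASA configuration it contains are constructed: the group-policy and tunnel-group names (SCEP_GP, SCEP_TG), the hostname ca.example.test and the CA URL are placeholders. The ASA sample writes the group-policy command in the 'scep-forwarding-url value <url>' form; the parser only compares the last token of that line, so the form given in the text above is accepted as well.

```python
"""Consistency check between an AnyConnect 3.0 client profile and an ASA
configuration for automatic SCEP enrollment.

Added example (not Cisco's code). Profile, ASA configuration, names and
the CA URL below are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed AnyConnect profile fragment; only the CertificateEnrollment
# section matters for this check.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <CertificateEnrollment>
    <CAURL PromptForChallengePW="true">http://ca.example.test/certsrv/mscep/mscep.dll</CAURL>
  </CertificateEnrollment>
</AnyConnectProfile>
"""

# Constructed ASA configuration excerpt with the commands the text requires.
SAMPLE_ASA_CONFIG = """group-policy SCEP_GP internal
group-policy SCEP_GP attributes
 scep-forwarding-url value http://ca.example.test/certsrv/mscep/mscep.dll
tunnel-group SCEP_TG type remote-access
tunnel-group SCEP_TG general-attributes
 default-group-policy SCEP_GP
 scep-enrollment enable
tunnel-group SCEP_TG webvpn-attributes
 authentication aaa certificate
"""


def profile_caurl(xml_text):
    """Return (url, PromptForChallengePW value) of the first CAURL element,
    ignoring the XML namespace; (None, None) if the profile has no CAURL."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "CAURL":
            prompt = (el.get("PromptForChallengePW") or "").strip().lower()
            return (el.text or "").strip(), prompt
    return None, None


def parse_asa(config_text):
    """Collect the sub-mode lines of each 'group-policy X attributes' and
    each 'tunnel-group X general-/webvpn-attributes' block."""
    policies, groups = {}, {}
    ctx = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):          # indented line belongs to current block
            if ctx is not None:
                ctx.add(raw.strip())
            continue
        m = re.match(r"group-policy (\S+) attributes$", raw)
        if m:
            ctx = policies.setdefault(m.group(1), set())
            continue
        m = re.match(r"tunnel-group (\S+) (?:general|webvpn)-attributes$", raw)
        if m:
            ctx = groups.setdefault(m.group(1), set())
            continue
        ctx = None                       # any other top-level line ends the block
    return policies, groups


def check_scep_enrollment(profile_xml, asa_config, tunnel_group):
    """Return a list of findings; an empty list means profile and ASA agree."""
    findings = []
    url, prompt = profile_caurl(profile_xml)
    if url is None:
        return ["profile: no <CAURL> element found"]
    if prompt != "true":
        findings.append('profile: <CAURL PromptForChallengePW="true"> is mandatory '
                        'for AnyConnect 3.0 (no Enroll button otherwise)')
    policies, groups = parse_asa(asa_config)
    tg = groups.get(tunnel_group)
    if tg is None:
        return findings + ["asa: tunnel-group %s not found" % tunnel_group]
    if "scep-enrollment enable" not in tg:
        findings.append("asa: tunnel-group %s lacks 'scep-enrollment enable'" % tunnel_group)
    # Authentication must be BOTH certificate and AAA, in either keyword order.
    if not any(l.startswith("authentication ") and "aaa" in l.split() and "certificate" in l.split()
               for l in tg):
        findings.append("asa: tunnel-group %s must use authentication aaa certificate" % tunnel_group)
    gp_name = next((l.split()[-1] for l in tg if l.startswith("default-group-policy ")), None)
    fwd = next((l.split()[-1] for l in policies.get(gp_name, set())
                if l.startswith("scep-forwarding-url")), None)
    if fwd is None:
        findings.append("asa: group-policy %s lacks scep-forwarding-url" % gp_name)
    elif fwd != url:
        findings.append("asa: scep-forwarding-url %s differs from profile CAURL %s" % (fwd, url))
    return findings


if __name__ == "__main__":
    for line in check_scep_enrollment(SAMPLE_PROFILE, SAMPLE_ASA_CONFIG, "SCEP_TG") or ["OK"]:
        print(line)
```

Run it against an exported profile and a 'show running-config' excerpt; every finding maps to one of the requirements listed above, and an empty result means the three pieces (CAURL flag, forwarding URL, tunnel-group commands) line up.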